
Microsoft sees drop in ransomware reaching encryption phase

In its Digital Defense Report 2024, Microsoft observed a significant increase in the number of human-operated ransomware attacks, which often originated from unmanaged devices.

While ransomware remains a prevalent threat, Microsoft has observed a shift: the number of attacks that reached the encryption stage decreased dramatically over the past two years.

Microsoft published its Digital Defense Report 2024 on Tuesday, which comprises data and threat intelligence from July 2023 through June 2024. The report covered several trends across the evolving threat landscape, including ransomware activity, which Microsoft referred to as "one of the most serious cybersecurity concerns."

Microsoft highlighted the top five ransomware groups, which it said accounted for 51% of attacks it observed against customers. The Akira ransomware gang claimed the top spot, followed by LockBit, which was recently disrupted again by law enforcement agencies, at No. 2.

Though Microsoft attributed the groups' "longstanding techniques" to how they've remained effective over the years, the report cited a shift in attack outcomes.

"Among our customers, Microsoft observed a 2.75x increase year over year in human-operated ransomware-linked encounters (defined as having at least one device targeted for a ransomware attack in a network). Meanwhile, the percentage of attacks reaching actual encryption phase has decreased over the past two years by threefold," Microsoft wrote in the report. "Automatic attack disruption contributed to this positive trend in decreasing successful attacks."

Some ransomware gangs in recent years have shifted away from encrypting systems and toward data theft and extortion attacks. A prime example of such activity is the Clop ransomware gang campaign against Progress Software customers, during which a threat actor exploited a zero-day vulnerability in Progress' MoveIt Transfer product and stole data from more than 2,000 organizations.

It's unclear if this shift contributed to the decrease Microsoft observed. TechTarget Editorial contacted Microsoft for comment on the matter.

Despite the positive news, organizations also faced many challenges. Unmanaged devices continued to pose a significant risk for victim organizations.

"In more than 90% of cases where attacks progress to ransom stage, the attacker had leveraged unmanaged devices in the network, either to gain initial access or to remotely encrypt assets at the impact stage," the report said.

Microsoft also said social engineering techniques like phishing, SMS phishing and voice phishing, stolen credentials, and vulnerability exploitation are the most prevalent methods threat actors used to gain initial access. Microsoft warned that attackers often exploited newly identified CVEs that received CVSS scores above 8.

Microsoft is not the only vendor to observe this trend. Earlier this year, Cisco Talos published research that showed ransomware gangs, including LockBit, had shifted more toward exploiting known and zero-day vulnerabilities during the initial attack phase.

Once the ransomware actors gained initial access, Microsoft found attackers commonly tampered with or disabled security products to evade detection and maintain persistence in the victim environment. During RSA Conference 2024, SentinelOne also warned that ransomware groups were becoming better at evading endpoint detection and response (EDR) tools by leveraging more commercial tools.

In the report, Microsoft said it observed techniques such as Windows Registry modifications and the deployment of malicious tooling such as NSudo, Defender Control, Configure Defender and ToggleDefender. Microsoft also found that ransomware actors deployed custom malicious PowerShell or batch scripts and commands to evade threat detection and response tools.

"Microsoft consistently observes a prolific number of attacks involving antivirus tampering. In May 2024, Microsoft Defender XDR detected over 176,000 incidents involving tampering with security settings, impacting more than 5,600 organizations," the report said.

Following successful compromise, Microsoft said ransomware actors commonly targeted privileged accounts so they could use elevated access to change any policy settings, including security modifications. To combat those risks, Microsoft recommended that organizations configure the Disable Local Admin Merge setting to limit attackers' ability to make administrator-level antivirus policy changes.
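The tampering conditions and the Disable Local Admin Merge recommendation described above, as an added PowerShell endpoint audit that is not from the article or from Microsoft's report. It assumes Microsoft Defender Antivirus with its PowerShell module (Get-MpComputerStatus) is installed and that the script runs elevated; the event IDs it queries (5001, real-time protection disabled; 5013, tamper protection blocked a change) are Microsoft's documented Defender operational-log events.

```powershell
# Added example (not the article's or Microsoft's code): audit one Windows
# endpoint for Defender tampering signals and for the Disable Local Admin
# Merge policy. Assumes Defender Antivirus + its PowerShell module; run elevated.

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Protection state: tamper protection, real-time protection and the AV
#    engine should all be on. Any of these off is a tampering indicator.
$status = Get-MpComputerStatus
if (-not $status.IsTamperProtected)        { $findings.Add('Tamper protection is OFF') }
if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is OFF') }
if (-not $status.AntivirusEnabled)         { $findings.Add('Antivirus engine is disabled') }

# 2. Policy hardening: DisableLocalAdminMerge = 1 (under the Defender policy
#    key) stops a local administrator from merging their own exclusions and
#    settings into the centrally managed lists, which is the setting the
#    report recommends.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$merge = (Get-ItemProperty -Path $policyKey -Name DisableLocalAdminMerge `
          -ErrorAction SilentlyContinue).DisableLocalAdminMerge
$mergeText = if ($null -eq $merge) { 'not set' } else { "$merge" }
if ($merge -ne 1) { $findings.Add("DisableLocalAdminMerge is not 1 (current: $mergeText)") }

# 3. Recent tampering signals in the Defender operational log over the last
#    7 days: 5001 = real-time protection disabled, 5013 = tamper protection
#    blocked an attempted change.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001, 5013
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $firstLine = ($e.Message -split "`n")[0].Trim()
    $findings.Add(('{0:u} event {1}: {2}' -f $e.TimeCreated, $e.Id, $firstLine))
}

if ($findings.Count -eq 0) {
    'No tampering indicators found; Disable Local Admin Merge is enforced.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Where Defender is managed by Intune or Group Policy, the policy value should already be present; a missing or zero value on a managed host is worth raising with whoever owns the baseline.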

Microsoft added that public-private partnerships are essential to quelling the ransomware threat. To that end, the tech giant highlighted its contributions to recent law enforcement efforts, which include the disruption of ransomware gangs and the arrests of several members of Octo Tempest, a cybercriminal group more commonly known as Scattered Spider.

"The past year has proved once again that defeating ransomware threats requires a layered and multitiered approach," the report said. "One of those tiers needs to focus on disrupting actors responsible for this activity in the real world."

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.
